DNS traffic on FortiGate is self-originating, meaning it is generated by FortiGate itself (see the Self-originating traffic article for more information).
Self-originating traffic uses the IP address of the exit interface as its source address by default.
When this traffic attempts to traverse an IPsec tunnel, it fails because an IPsec tunnel interface has no IP address by default, so there is no usable source address.
In this example, an attempt is made to reach the DNS server on 192.168.1.58, which lies on the other side of the IPsec tunnel. After it is entered in the DNS settings, it shows as unreachable:

To fix this, assign an IP address to the IPsec tunnel interface.
Go to Network -> Interfaces, choose the IPsec tunnel and select Edit. In the edit window, provide an IP address for the local interface and for the remote side. Use addresses from a subnet that is not used anywhere else in the environment. In this example, the local side is given 192.168.101.1 and the remote side 192.168.101.2, as shown below:
Local Side:

Remote Side:

After that, if a Phase 2 selector has been configured on the IPsec tunnel, these IP addresses must be added to the Phase 2 selector so that traffic between them is allowed into the tunnel.
Additionally, if firewall policies are in place to restrict traffic, these IP addresses must be added to the relevant policies.
Once this is done, the DNS server will start working.
An alternative solution is to set a source IP address in the DNS settings, choosing an address that the IPsec tunnel Phase 2 selector already allows:
    config system dns
        set primary 192.168.1.58
        set source-ip 192.168.10.1
    end
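Both fixes above come down to two addressing conditions: the subnet chosen for the tunnel interface must not collide with anything already in use, and whichever source address the DNS lookups end up using (the new tunnel IP, or the address given with set source-ip) must fall inside a Phase 2 selector, or the packets never enter the tunnel. The following script, an added example that is not part of this article or of Fortinet's own tooling, checks both conditions with Python's ipaddress module and prints the resulting CLI. The existing-subnet list, the Phase 2 selectors and the tunnel interface name are constructed sample values; the config system interface lines are assumed FortiOS syntax for what the article does in the GUI, while the config system dns lines are the ones from the article.

```python
"""Addressing checks for FortiGate self-originating DNS over IPsec.

Added example, not part of the Fortinet article. The sample subnets,
selectors and names below are constructed for illustration.
"""
import ipaddress

# Constructed sample data: subnets already used in the environment.
EXISTING_SUBNETS = [
    ipaddress.ip_network("192.168.1.0/24"),   # remote LAN, holds DNS server 192.168.1.58
    ipaddress.ip_network("192.168.10.0/24"),  # local LAN behind the FortiGate
]

# Constructed sample Phase 2 selectors as (local subnet, remote subnet).
PHASE2_SELECTORS = [
    (ipaddress.ip_network("192.168.10.0/24"), ipaddress.ip_network("192.168.1.0/24")),
]


def tunnel_subnet_is_free(local_ip, remote_ip, existing=EXISTING_SUBNETS):
    """True if the /30 holding both tunnel ends overlaps nothing already in use."""
    net = ipaddress.ip_network(f"{local_ip}/30", strict=False)
    if ipaddress.ip_address(remote_ip) not in net:
        return False  # the two ends must share the point-to-point subnet
    return not any(net.overlaps(used) for used in existing)


def source_allowed_by_phase2(source_ip, dns_server, selectors=PHASE2_SELECTORS):
    """True if some Phase 2 selector covers source_ip -> dns_server."""
    src = ipaddress.ip_address(source_ip)
    dst = ipaddress.ip_address(dns_server)
    return any(src in local and dst in remote for local, remote in selectors)


def dns_cli(primary, source_ip=None):
    """CLI from the article: primary DNS, optionally with an explicit source IP."""
    lines = ["config system dns", f"    set primary {primary}"]
    if source_ip:
        lines.append(f"    set source-ip {source_ip}")
    lines.append("end")
    return "\n".join(lines)


def tunnel_ip_cli(tunnel_name, local_ip, remote_ip):
    """Assumed FortiOS syntax for the GUI step that gives the tunnel an IP.

    The article performs this in the GUI; these lines are not from the page.
    """
    return "\n".join([
        "config system interface",
        f'    edit "{tunnel_name}"',
        f"        set ip {local_ip} 255.255.255.255",
        f"        set remote-ip {remote_ip} 255.255.255.255",
        "    next",
        "end",
    ])


def plan_tunnel_ip_fix(tunnel_name, local_ip, remote_ip, dns_server):
    """Option 1: address the tunnel interface. Returns (ok, message_or_cli)."""
    if not tunnel_subnet_is_free(local_ip, remote_ip):
        return False, f"{local_ip}/30 overlaps a subnet already in use; pick another"
    if not source_allowed_by_phase2(local_ip, dns_server):
        # Exactly the situation the article warns about: the new tunnel IP
        # still has to be added to the Phase 2 selector (and firewall policy).
        return False, f"add {local_ip} to the Phase 2 selector before relying on it"
    return True, tunnel_ip_cli(tunnel_name, local_ip, remote_ip) + "\n" + dns_cli(dns_server)


def plan_source_ip_fix(source_ip, dns_server):
    """Option 2: keep the tunnel unnumbered, pin DNS to an already-allowed source."""
    if not source_allowed_by_phase2(source_ip, dns_server):
        return False, f"{source_ip} -> {dns_server} is not covered by any Phase 2 selector"
    return True, dns_cli(dns_server, source_ip)


if __name__ == "__main__":
    for ok, text in (
        plan_tunnel_ip_fix("to_branch", "192.168.101.1", "192.168.101.2", "192.168.1.58"),
        plan_source_ip_fix("192.168.10.1", "192.168.1.58"),
    ):
        print("OK" if ok else "NOT READY", "\n" + text, "\n")
```

Run as-is, the first plan reports NOT READY because the sample selectors do not yet include 192.168.101.0/30, which is the step the article says must not be skipped; adding a selector for that /30 makes it pass, and the second plan passes immediately because 192.168.10.1 is already inside the selector's local subnet.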